Handling Authentication and Authorization in Express.js
Authentication and authorization are crucial aspects of any web application. In Express.js, a popular web application framework for Node.js, handling authentication and authorization is relatively easy. In this article, we will discuss how to handle authentication and authorization in Express.js using various techniques and middleware.
Authentication is the process of verifying the identity of a user, while authorization is the process of determining whether a user has the necessary permissions to access certain resources or perform specific actions within the application. In Express.js, middleware is used to handle authentication and authorization.
Basic Authentication in Express.js
One of the simplest ways to implement authentication in Express.js is through Basic Authentication. Basic Authentication involves the use of a username and password to access protected resources. In Express.js, the `basic-auth` package can be used to implement basic authentication. First, install the `basic-auth` package using npm:
“`
npm install basic-auth
“`
Next, create a middleware function that uses the `basic-auth` package to authenticate users:
“`javascript
const auth = require(‘basic-auth’);
const users = {
‘username’: ‘password’
};
function basicAuth(req, res, next) {
const user = auth(req);
if (!user || !users[user.name] || users[user.name] !== user.pass) {
res.set(‘WWW-Authenticate’, ‘Basic realm=Authorization Required’);
return res.status(401).send(‘Unauthorized’);
}
return next();
}
module.exports = basicAuth;
“`
In this example, we create a middleware function `basicAuth` that checks the credentials provided by the user against a predefined list of users. If the credentials are invalid, a 401 Unauthorized response is sent. Otherwise, the next middleware function is called.
To use the `basicAuth` middleware in a route, simply pass it as an argument to the route handler:
“`javascript
app.get(‘/protected-route’, basicAuth, (req, res) => {
// Handle protected route
});
“`
With this setup, the `/protected-route` endpoint requires users to provide a valid username and password to access it.
Token-based Authentication in Express.js
Another commonly used authentication method in Express.js is token-based authentication. In token-based authentication, a token is generated during the authentication process and subsequently used to authenticate the user for all subsequent requests. The `jsonwebtoken` package can be used to implement token-based authentication in Express.js.
First, install the `jsonwebtoken` package using npm:
“`
npm install jsonwebtoken
“`
Next, create a middleware function that generates a token for authenticated users:
“`javascript
const jwt = require(‘jsonwebtoken’);
const secret = ‘mysecret’;
function generateToken(user) {
const payload = {
id: user.id,
username: user.username
};
return jwt.sign(payload, secret, { expiresIn: ‘1h’ });
}
module.exports = generateToken;
“`
In this example, we create a `generateToken` function that takes a user object as an argument and generates a JSON Web Token (JWT) using the `jsonwebtoken` package. The generated token contains a payload with the user’s id and username, and expires in 1 hour.
To authenticate users using token-based authentication, create a middleware function that verifies the token and attaches the user object to the request object:
“`javascript
function verifyToken(req, res, next) {
const token = req.headers[‘authorization’];
if (!token) {
return res.status(403).send(‘No token provided’);
}
jwt.verify(token, secret, (err, decoded) => {
if (err) {
return res.status(401).send(‘Unauthorized’);
}
req.user = decoded;
next();
});
}
module.exports = verifyToken;
“`
In this example, we create a `verifyToken` middleware function that checks for the presence of a token in the `Authorization` header of the request. If a token is present, it is verified using the `jsonwebtoken` package. If the token is valid, the user object is attached to the request object and the next middleware function is called.
To use the `verifyToken` middleware in a route, simply pass it as an argument to the route handler:
“`javascript
app.get(‘/protected-route’, verifyToken, (req, res) => {
// Handle protected route
});
“`
With this setup, the `/protected-route` endpoint requires users to provide a valid token to access it.
Role-based Authorization in Express.js
In addition to authentication, it is often necessary to implement role-based authorization in web applications. Role-based authorization ensures that users have the necessary permissions to access specific resources or perform certain actions within the application. In Express.js, role-based authorization can be implemented using middleware and user roles.
First, define user roles and assign them to users:
“`javascript
const users = [
{ id: 1, username: ‘user1’, role: ‘user’ },
{ id: 2, username: ‘user2’, role: ‘admin’ }
];
“`
Next, create a middleware function that checks the user’s role against the required role for a specific resource:
“`javascript
function authorize(role) {
return (req, res, next) => {
const user = users.find(user => user.id === req.user.id);
if (!user || user.role !== role) {
return res.status(403).send(‘Forbidden’);
}
next();
};
}
module.exports = authorize;
“`
In this example, we create an `authorize` middleware function that takes a role as an argument and returns a new middleware function. The returned middleware function checks if the user’s role matches the required role for the resource. If the user’s role is not authorized, a 403 Forbidden response is sent. Otherwise, the next middleware function is called.
To use the `authorize` middleware in a route, simply pass it as an argument to the route handler:
“`javascript
app.get(‘/admin-route’, verifyToken, authorize(‘admin’), (req, res) => {
// Handle admin route
});
“`
With this setup, the `/admin-route` endpoint requires users with an `admin` role to access it.
Conclusion
In this article, we have discussed how to handle authentication and authorization in Express.js using various techniques and middleware. We have covered basic authentication, token-based authentication, and role-based authorization, each of which plays a crucial role in securing web applications. By applying these techniques, you can ensure that only authenticated and authorized users have access to protected resources within your Express.js application.